28 February 2018
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2018.0571 Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal 28 February 2018 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: python-saml ruby-saml saml2-js omniauth-saml Shibboleth openSAML Publisher: CERT/CC Operating System: Windows UNIX variants (UNIX, Linux, OSX) Apple iOS Android Impact/Access: Access Privileged Data -- Remote/Unauthenticated Provide Misleading Information -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2018-0489 CVE-2017-11430 CVE-2017-11429 CVE-2017-11428 CVE-2017-11427 Original Bulletin: https://www.kb.cert.org/vuls/id/475445 Comment: This advisory affects multiple libraries implementing SAML, which will have different patch schedules. - --------------------------BEGIN INCLUDED TEXT-------------------- Vulnerability Note VU#475445 Multiple SAML libraries may allow authentication bypass via incorrect XML canonicalization and DOM traversal Original Release date: 27 Feb 2018 | Last revised: 27 Feb 2018 Overview Multiple SAML libraries may incorrectly utilize the results of XML DOM traversal and canonicalization APIs in such a way that an attacker may be able to manipulate the SAML data without invalidating the cryptographic signature, allowing the attack to potentially bypass authentication to SAML service providers. Description CWE-287: Improper Authentication Security Assertion Markup Language (SAML) is an XML-based markup language for security assertions regarding authentication and permissions, most commonly used for single sign-on (SSO) services. Some XML DOM traversal and canonicalization APIs may be inconsistent in handling of comments within XML nodes. Incorrect use of these APIs by some SAML libraries results in incorrect parsing of the inner text of XML nodes such that any inner text after the comment is lost prior to cryptographically signing the SAML message. Text after the comment therefore has no impact on the signature on the SAML message. A remote attacker can modify SAML content for a SAML service provider without invalidating the cryptographic signature, which may allow attackers to bypass primary authentication for the affected SAML service provider The following CVEs are assigned: CVE-2017-11427 - OneLogin's "python-saml" CVE-2017-11428 - OneLogin's "ruby-saml" CVE-2017-11429 - Clever's "saml2-js" CVE-2017-11430 - "OmniAuth-SAML" CVE-2018-0489 - Shibboleth openSAML C++ More information is available in the researcher's blog post. Impact By modifying SAML content without invalidating the cryptographic signature, a remote, unauthenticated attacker may be able to bypass primary authentication for an affected SAML service provider. Solution Apply updates Affected SAML service providers should update software to utilize the latest releases of affected SAML libraries. Please see the vendor list below for more information. Vendor Information (Learn More) Vendor Status Date Date Updated Notified Clever, Inc. Affected 24 Jan 2018 26 Feb 2018 Duo Security Affected - 22 Feb 2018 OmniAuth Affected 24 Jan 2018 06 Feb 2018 OneLogin Inc Affected 24 Jan 2018 27 Feb 2018 Shibboleth Consortium Affected 24 Jan 2018 06 Feb 2018 AssureBridge Not Affected - 27 Feb 2018 Okta Inc. Not Affected 29 Jan 2018 27 Feb 2018 Box Unknown 23 Feb 2018 23 Feb 2018 Cisco Unknown 23 Feb 2018 23 Feb 2018 Danish e-Infrastructure Cooperation Unknown 24 Jan 2018 24 Jan 2018 (WAYF) Entr'ouvert Unknown 24 Jan 2018 24 Jan 2018 GitHub Unknown 24 Jan 2018 24 Jan 2018 Google Unknown 23 Feb 2018 23 Feb 2018 Microsoft Unknown 23 Feb 2018 23 Feb 2018 Pivotal Software, Inc. Unknown 24 Jan 2018 24 Jan 2018 If you are a vendor and your product is affected, let us know. CVSS Metrics (Learn More) Group Score Vector Base 6.3 AV:N/AC:M/Au:S/C:C/I:N/A:N Temporal 4.9 E:POC/RL:OF/RC:C Environmental 4.9 CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND References * https://duo.com/blog/ duo-finds-saml-vulnerabilities-affecting-multiple-implementations * https://duo.com/labs/psa/duo-psa-2017-003 * https://shibboleth.net/community/advisories/secadv_20180112.txt * https://cwe.mitre.org/data/definitions/287.html Credit Thanks to Kelby Ludwig of Duo Security for reporting this vulnerability. This document was written by Garret Wassermann. Other Information * CVE IDs: CVE-2017-11427 CVE-2017-11428 CVE-2017-11429 CVE-2017-11430 CVE-2018-0489 * Date Public: 27 Feb 2018 * Date First Published: 27 Feb 2018 * Date Last Updated: 27 Feb 2018 * Document Revision: 67 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to email@example.com and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: firstname.lastname@example.org Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBWpYBLox+lLeg9Ub1AQghfA//RJAcK3ftBIqPIuswbbDUHTF82VL6HAlt k1sjd/waKWDw+WFFWJPwy/roTO5nNKYrdO/1daAQB9DbiUzXpFPe1A/19a9BwCy9 lV/pNL6xWN2d+mZCguyqnSz+efUxab/HBxm301DQdaQ0KgQDlA6szlZAxOPuIkYN dtNPT/5crmiHW0Nd83Q1j5KPY/K22NnrSIhy6+e93se75kE29tTbRI3s4kB43AM1 J/RncFEXiSPNKolTO+eu1dQfJ1o6lAbLqJ/EHEMgYqQ7QK+htK8uZc7uwPL7BodQ FA1f8aER01C6TZUIlC7Q4SW1KBURnfdl3+m5Z8HM3hOKmybe03vqY9L5bWvhVLsV b5LUtDS5A2OU+xFrTm8L6nYcGcriC8AxE29HReP4VvCjuQv28SzSPUhaQPys2eIL 9Q29ZI8WgoQxXujJeiM6BVBqKGdJ0ucy8s6dx6lytrV4my0uqzUPkGixE2Yj6e76 zED0eXbKNAX4yQx10lomnAnEj+zOhvQr5VXy+3Aymb9SDmkVuo8qVqTpNFrqfiOt 2TkZasC5jilaP3hTdujfriuqH8708VHWBXqlIWnxZ0bTU8isRxOxx7hV5Bj02NuQ 2kUoMuSdN3Xp7JlPXmWMaYXtj61EFPS7kV3D10JMbaSG/eYFcHBefJC2bZyexkfQ sfeP1813XFg= =5ePt -----END PGP SIGNATURE-----